最近要做客户端和服务器端的双向认证,在客户端向服务器端发送带证书的请求这里有一点问题,网上的例子大多都不太好使,于是找了github上httpclient源代码中的例子改造了一下,终于弄明白了

github上我参考的例子在:https://github.com/apache/httpclient/blob/4.5.x/httpclient/src/examples/org/apache/http/examples/client/ClientCustomSSL.java

下面先贴上我自己的代码(需要导入HttpClient等相关jar包),然后再说明

 

import org.apache.commons.io.IOUtils;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.util.EntityUtils;

import javax.net.ssl.SSLContext;
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/*
 * Created with Intellij IDEA
 * USER: 焦一平
 * Date: 2016/5/8
 * Time: 1:10
 * To change this template use File | Settings | File Template
 */
public class SSLDemo {
    public static void main(String[] args) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(new FileInputStream(new File("C:\\Users\\Administrator\\Desktop\\jiaoyiping.p12")), "123456".toCharArray());
        SSLContext sslcontext = SSLContexts.custom()
                //忽略掉对服务器端证书的校验
                .loadTrustMaterial(new TrustStrategy() {
                    @Override
                    public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                        return true;
                    }
                })
                
                //加载服务端提供的truststore(如果服务器提供truststore的话就不用忽略对服务器端证书的校验了)
                //.loadTrustMaterial(new File("D:\\truststore.jks"), "123456".toCharArray(),
                //        new TrustSelfSignedStrategy())
                .loadKeyMaterial(keyStore, "cmcc".toCharArray())
                .build();
        SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(
                sslcontext,
                new String[]{"TLSv1"},
                null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        CloseableHttpClient httpclient = HttpClients.custom()
                .setSSLSocketFactory(sslConnectionSocketFactory)
                .build();

        try {

            HttpGet httpget = new HttpGet("https://10.2.5.116/PnsReceiver/ReceiveMessage");

            System.out.println("Executing request " + httpget.getRequestLine());

            CloseableHttpResponse response = httpclient.execute(httpget);
            try {
                HttpEntity entity = response.getEntity();
                System.out.println(response.getStatusLine());
                System.out.println(IOUtils.toString(entity.getContent()));
                EntityUtils.consume(entity);
            } finally {
                response.close();
            }
        } finally {
            httpclient.close();
        }
    }
}

 

 

SSLContexts.custom() 方法返回一个 SSLContextBuilder实例,来构建SSLContext,下面是SSLContextBuilder的方法列表:

其中:
loadKeyMaterial()重载方法是加载客户端证书用的
loadTrustMaterial()重载方法是加载服务器端相关信息用的(我们就是使用 loadTrustMaterial(TrustStrategy trustStrategy) 方法自己实现了一个信任策略,不对服务器端的证书进行校验),

在生成HttpClient的时候,指定相应的 SSLSocketFactory,之后,使用这个HttpClient发送的GET请求和POST请求就自动地附加上了证书信息

如果我们只需要忽略掉对服务器端证书的验证,而不需要发送客户端证书信息,在构建SSLContext的时候,只需要 loadTrustMaterial() 不需要 loadKeyMaterial()

关于客户端证书的类型问题:我们导出的pfx或者P12后缀的文件都是pkcs12类型的,根据java的文档,我找到了KeyStore支持的三种类型,如下图:



客户端如何只信任某个服务器端的证书信息 会在之后的文章中写

 

posted on 2016-05-08 02:27  梦中彩虹  阅读(37185)  评论(1编辑  收藏  举报